Didier Stevens, security researcher and expert on malicious PDF files, has succeeded in creating a proof-of-concept PDF file that uses the launch action triggered by the opening of the file to execute the embedded malicious executable.

"Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs)," says Stevens in his blog post.

The situation is worse with Foxit Reader, where such a message doesn't pop-up and the malicious file is executed automatically